"Financial Protection Against Cyber Risks"

Cyber insurance types, coverage scope, exclusions, policy considerations, claims process, IRDAI guidelines, and Maharashtra market landscape.

| Coverage Type | What It Covers | Example Scenario |
|---|---|---|
| Business Interruption | Lost income due to cyber incident | Ransomware shuts down operations for 5 days |
| Data Recovery | Costs to restore/recreate lost data | Database corrupted by malware |
| Ransomware Payment | Ransom payment (where legal) | Encryption by ransomware gang |
| Incident Response | Forensics, legal, PR costs | Breach investigation and notification |
| Crisis Management | PR and reputation management | Public announcement of data breach |
| Cyber Extortion | Threats to release data/attack | Threat to publish stolen customer data |

| Coverage Type | What It Covers | Example Scenario |
|---|---|---|
| Privacy Liability | Claims for personal data breach | Customer sues for data leak |
| Network Security Liability | Claims due to security failure | Client suffers loss due to your breach |
| Media Liability | Defamation, IP infringement claims | Copyright claim on website content |
| Regulatory Defense | Fines, penalties, defense costs | CERT-In investigation, DPDPA penalty |
| PCI-DSS Fines | Payment card industry penalties | Non-compliance fines after card breach |
| Contractual Liability | Breach of contract claims | Client claims breach of SLA |

Exclusions:
1. Known Vulnerabilities: Incidents caused by known but unpatched vulnerabilities
2. Prior Acts/Prior Knowledge: Incidents that occurred or were known before policy start
3. War/Terrorism: State-sponsored attacks, acts of war (cyber war exclusion)
4. Intentional Acts: Fraud by employees, intentional misconduct
5. Bodily Injury/Property Damage: Physical harm (covered under general liability)
6. Infrastructure Failure: Power outage, ISP failure (not cyber attack)
7. Contractual Liability: Some policies exclude contractual penalties
8. Unencrypted Data: Some policies require encryption for coverage
9. BYOD Devices: May exclude personal device incidents
10. Cryptocurrency: Some exclude crypto-related losses

- Waiting Period: Hours/days before business interruption coverage starts (typically 6-24 hours)
- Retroactive Date: How far back prior acts are covered
- Sub-limits: Lower limits for specific coverages (e.g., Rs. 50L for ransomware within Rs. 5Cr policy)
- Retention/Deductible: Amount you pay before insurance kicks in
- Coinsurance: Percentage you must bear (e.g., 20% coinsurance)
- Aggregate Limit: Maximum payout for all claims in policy year

| Factor | Small Business (less than Rs. 10 Cr revenue) | Mid-size (Rs. 10-100 Cr) | Large Enterprise (Rs. 100+ Cr) |
|---|---|---|---|
| Typical Sum Insured | Rs. 25L - Rs. 1Cr | Rs. 1Cr - Rs. 10Cr | Rs. 10Cr - Rs. 100Cr+ |
| Premium Range | Rs. 25K - Rs. 2L/year | Rs. 2L - Rs. 20L/year | Rs. 20L - Rs. 2Cr+/year |
| Key Coverage | Data breach, Ransomware | + Business Interruption, Regulatory | + Comprehensive coverage, Excess layers |
| Deductible | Rs. 50K - Rs. 2L | Rs. 2L - Rs. 10L | Rs. 10L - Rs. 1Cr |

Questions to Ask:
1. What is the claims history of the insurer in India?
2. Is ransomware payment covered? Any conditions?
3. What are the sub-limits for key coverages?
4. Is regulatory fine/penalty covered (DPDPA, CERT-In)?
5. What is the incident response support provided?
6. Is there a panel of approved forensics/legal vendors?
7. What security controls are required for coverage?
8. How quickly can claims be processed?

Claims Process:
1. Immediate Notification (within 24-72 hours):
   - Call insurer's claims hotline immediately
   - Do NOT admit liability to third parties
   - Do NOT make payments without insurer approval
2. Initial Assessment:
   - Insurer assigns claims adjuster
   - Forensics firm engaged (often from insurer's panel)
   - Legal counsel appointed if needed
3. Documentation:
   - Incident report and timeline
   - Financial loss documentation
   - Third-party claims/notices
   - Remediation costs and invoices
4. Claim Evaluation:
   - Insurer reviews coverage applicability
   - Checks for exclusions
   - Calculates covered losses
5. Settlement:
   - Negotiate settlement amount
   - Receive payment (less deductible)
   - Post-incident review and lessons learned

| Category | Providers | Notes |
|---|---|---|
| Public Sector | New India, Oriental, United India, National | Basic products, lower premiums |
| Private Sector | ICICI Lombard, HDFC Ergo, Bajaj Allianz, Tata AIG | Comprehensive products |
| Specialized | Chubb, AXA XL, Zurich (through Indian partners) | Large enterprise focus |

Key IRDAI Provisions:
1. Cyber insurance is a specialized product under the "Miscellaneous" category
2. Insurers must file products with IRDAI before launch
3. Clear disclosure of coverage, exclusions, and claims process required
4. Reinsurance arrangements for large risks
5. Insurers encouraged to develop standard products for SMEs

Market Trends (Maharashtra):
- Mumbai: Financial services companies leading adoption
- Pune: IT/ITES companies increasingly purchasing coverage
- Healthcare sector uptake growing post-COVID digitization
- E-commerce mandate driving demand

Average Breach Cost (India): Rs. 17.6 Crore (IBM 2023 Report)

Typical Premium: 0.5% - 2% of sum insured

Example Calculation:
- Sum Insured: Rs. 5 Crore
- Premium: Rs. 5L - Rs. 10L per year
- Potential loss covered: Rs. 5 Crore
- ROI if claim: 50x - 100x premium

Recommendation: Essential for data-handling businesses; cost-effective risk transfer